In November 2014, application security service provider Adallom released a report aptly titled "Cloud Usage Risk... Report," which addressed a number of cloud-specific risk and security issues observed over the previous year among Adallom's subscribers. The report included a number of fascinating statistics that shed light on how many enterprises are failing to properly implement and manage security controls at cloud providers, with some emphasis on software as a service (SaaS) environments. Some of the more interesting data points in the report are:
- Most organizations do not properly manage user accounts for SaaS applications. Between 2013 and 2014, 11% of enterprise SaaS accounts were "zombies," meaning no active user was associated with them. In addition, Adallom found that 80% of companies had at least one zombie account belonging to a former employee that had not been disabled.
- The concept of least privilege often doesn't apply to the cloud. In many accounts, Adallom saw high numbers of admins, with as many as 7 for every 100 users.
- 19% of cloud application users bypass identity and access management controls where possible.
- 5% of a company's private files are actually publicly accessible in various cloud application environments, demonstrating a lack of access controls implemented in the cloud.
- 29% of employees share cloud application files with their personal email accounts.
- The average company shares information with 393 external domains.
These statistics are alarming for a number of reasons. First, they imply that security teams may not have a great deal of involvement in configuring, monitoring and de-provisioning data and user accounts within SaaS environments. Many security professionals are focused on the overall control capabilities of cloud providers, as well as on which third-party or internal tools can be ported into PaaS and IaaS provider environments, and may be overlooking SaaS security in one or more ways. Second, the statistics strongly suggest that shadow IT in the cloud is happening in a big way, with data and user accounts exposed or left unattended for lengthy periods of time.
Creating a cloud app security policy
What should organizations do to get a handle on these security issues within SaaS environments? Before anything else, security teams need to ensure a cloud app security policy is in place that specifies control requirements for particular data types and tiers of sensitivity. This should align closely with a cloud risk assessment process for proposed projects that evaluates the security control status and capabilities of any provider being considered. In addition to the general security posture of the provider, there are several other critical points to pay attention to for SaaS environments.
First, enterprises should find out what type of identity and access management integration the provider offers. For example, a provider that natively integrates with internal LDAP stores like Active Directory, that supports SAML for identity data exchange and updates, and that also offers numerous APIs for identity management, will likely have more to offer for security teams that want to manage user identities more capably over time.
Then, enterprises must determine whether the provider supports data lifecycle controls, where inactive user accounts can be automatically suspended or short-term users can have a set lifecycle from instantiation.
Security teams must also find out what types of encryption and access control options are available for protecting access to data stored in a SaaS environment. For encryption offerings, determine where keys are stored and who controls them.
Administrative controls to the management console and dashboard are also crucial. Ideally, the SaaS provider has role-based access to the console and its features, as well as multifactor access with certificates, tokens and other methods that may integrate with existing enterprise controls and tools.
Lastly, enterprises need to determine whether logs of all activity within the SaaS environment can be obtained, how often they can be acquired, and in what format. Are direct log feeds available? If not, can log data be retrieved through APIs, scripts or automation tools? The more log and event data an organization can acquire in an automated and near real-time manner, the better it can integrate the data with SIEM and log management platforms to analyze user behavior in the SaaS environment.
The importance of SaaS security controls
SaaS security has not taken center stage as much as PaaS and IaaS security has in the last several years. With the large amounts of sensitive data stored in many SaaS environments, however, we can't afford for open permissions models, shadow accounts or zombies, or excessive privilege allocation to lead to major security issues. Enterprises should take stock of the SaaS environments they're currently using, assess the security controls and current state of users and data stored within them, and plan to do this diligently for any planned SaaS implementation in the future.
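As an added illustration of "taking stock" of an existing SaaS tenant, the script below (example code, not part of the article or of Adallom's report) runs the checks implied by the statistics above over a constructed user export and file-sharing export: zombie accounts belonging to departed staff, accounts idle past an assumed 90-day lifecycle threshold, an assumed admin-ratio policy of 5 per 100 users, publicly visible files, shares to personal webmail domains, and the set of external domains data is shared with. The `hr_active` flag, the field names and all sample values are assumptions for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

NOW = datetime(2014, 11, 15)        # fixed "today" so results are reproducible
INACTIVITY_DAYS = 90                # assumed lifecycle policy: suspend after 90 idle days
ADMIN_RATIO_LIMIT = 0.05            # assumed policy: at most 5 admins per 100 users
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}
CORP_DOMAIN = "example.com"

# Constructed SaaS user export; hr_active is assumed to come from the HR system of record.
USERS = [
    {"email": "alice@example.com", "role": "admin", "last_login": "2014-11-10", "hr_active": True},
    {"email": "bob@example.com",   "role": "user",  "last_login": "2014-11-12", "hr_active": True},
    {"email": "carol@example.com", "role": "admin", "last_login": "2014-06-01", "hr_active": False},
    {"email": "dave@example.com",  "role": "user",  "last_login": "2014-02-01", "hr_active": True},
]
# Constructed file-sharing export: one row per (file, recipient or visibility).
SHARES = [
    {"file": "q3-forecast.xlsx", "shared_with": "public"},
    {"file": "roadmap.docx",     "shared_with": "bob@example.com"},
    {"file": "payroll.csv",      "shared_with": "dave.personal@gmail.com"},
    {"file": "contract.pdf",     "shared_with": "legal@partner.net"},
    {"file": "contract.pdf",     "shared_with": "cfo@vendor.org"},
]

def audit_users(users, now=NOW):
    """Zombies (owner gone per HR, account still enabled), idle accounts, admin ratio."""
    cutoff = now - timedelta(days=INACTIVITY_DAYS)
    zombies = [u["email"] for u in users if not u["hr_active"]]
    inactive = [u["email"] for u in users
                if datetime.strptime(u["last_login"], "%Y-%m-%d") < cutoff]
    admins = sum(u["role"] == "admin" for u in users)
    ratio = admins / len(users) if users else 0.0
    return {"zombies": zombies, "inactive": inactive, "admin_ratio": ratio,
            "admin_ratio_exceeded": ratio > ADMIN_RATIO_LIMIT}

def audit_shares(shares):
    """Public files, shares to personal webmail, and external domains shared with."""
    public = sorted({s["file"] for s in shares if s["shared_with"] == "public"})
    personal, external = [], Counter()
    for s in (s for s in shares if s["shared_with"] != "public"):
        domain = s["shared_with"].rsplit("@", 1)[-1].lower()
        if domain in PERSONAL_DOMAINS:
            personal.append((s["file"], s["shared_with"]))
        if domain != CORP_DOMAIN:
            external[domain] += 1     # count shares per non-corporate domain
    return {"public_files": public, "personal_shares": personal,
            "external_domains": sorted(external)}
```

On a real tenant the two exports would come from the provider's user and sharing APIs or log feeds discussed above, and the findings would be fed to the SIEM rather than returned as dictionaries.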
About the author:
Dave Shackleford is the owner and principal consultant of Voodoo Security LLC; lead faculty at IANS; and a SANS analyst, senior instructor and course author. He previously worked as CSO at Configuresoft; as CTO at the Center for Internet Security; and as a security architect, analyst and manager for several Fortune 500 companies. He currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.